Architectural Design Rewriting (ADR, for short) is a rule-based formal framework for modelling the evolution of architectures of distributed systems. Rules allow ADR graphs to be refined. After equipping ADR with a simple logic, we equip rules with pre- and post-conditions; the former constrain the applicability of the rules while the latter specify properties of the resulting graphs. We give an algorithm to compute the weakest pre-condition out of a rule and its post-condition. On top of this algorithm, we design a simple methodology that allows us to select which rules can be applied at the architectural level to reconfigure a system so as to regain its architectural style when it becomes compromised by unexpected run-time reconfigurations.

1 Introduction 

Modern applications are very rarely developed as "stand-alone" software; as a matter of fact, even simple applications are nowadays open in the sense that they are typically able to connect and/or be integrated with other applications such as those in service-oriented or cloud computing. Also, this kind of software tends to be autonomic, namely it needs to automatically adapt to (often unpredictable) run-time changes.

Openness magnifies the complexity of such software. In fact, open systems are subject to unexpected reconfigurations that may hinder their execution and drive computations into erroneous states in an unanticipated manner. Detecting and tackling those states of the computation at run-time is crucial to re-establish correct configurations from which the computation can safely restart. For example, the reaction to the failure of a service $S$ may redirect the requests of the clients to another service $S'$.

A problem that can arise in those cases is that the run-time reconfigurations may compromise the alignment with the expected abstract architecture. In the client-service scenario mentioned above, the choice of $S'$ may cause the violation of some architectural constraints designed e.g. to balance the load.

In this paper we propose to use high-level designs of software architectures to drive system reconfigurations so that desirable architectural properties (expressed as logical invariants) are maintained when reconfigurations are necessary. Software architectures specify the structure and interconnections of a software product. Ordinary computations can change the state, but they are very rarely allowed to modify the architecture. In this context it is also crucial to preserve architectural styles [14] that allow one (i) to specify (reusable) design patterns, (ii) to confine the parts to be reconfigured, and (iii) to control the architectural changes.

Our approach hinges on a formal language for specifying software architectures, their refinements, and their style. Methodologically, we adopt ADR [4] as our architectural description language. As surveyed in § 2, ADR models systems as (hyper)graphs, that is sets of (hyper)edges sharing some nodes; edges represent distributed components (at some level of abstraction) while nodes represent communication ports. Also, ADR features refinement rules of the form $L \to R$ where $L$ is a (hyper)edge and $R$ a (hyper)graph meant to replace $L$ with $R$ within a given graph. In ADR, a system corresponds to a configuration of elements (i.e. nodes and edges) that can be related to the architecture graph components and is expected to respect the architectural style specified by the refinement rules. Such elements can interact through their connections according to run-time interactions (run-time reconfigurations) not represented at the architectural level. A main reason for adopting ADR is that it has been designed to support the alignment of architecture-related information with run-time behaviour in order to drive execution.

A technical contribution of this paper (§ 3 and § 4) is to generalise ADR with asserted productions, that is refinement rules of the form

$$\{\psi\}\; L \to R\; \{\phi\} \qquad \text{where } \psi \text{ and } \phi \text{ are the pre- and post-conditions, respectively} \qquad (1)$$

The intuition is that (1) can be applied only to graphs satisfying $\psi$ to obtain a graph satisfying $\phi$. For this, we use a simple logic for hypergraphs.

In ADR, architectural styles are formalised in terms of productions that describe the legal configurations of systems. We generalise this by envisaging architectural styles as sets of productions together with invariants (expressed as closed formulae of our logic) which can be thought of as contracts that architectures have to abide by.

The main result of the paper is an algorithm (§ 5) to compute the weakest pre-condition from the post-condition of a production. Also, we use this algorithm to devise a methodology to re-establish the architectural style specified for a system when run-time reconfigurations compromise it.

Synopsis A short overview of ADR is given in § 2 (for simplicity, we do not describe ADR reconfiguration; the interested reader is referred e.g. to [4] for the technical details). We introduce a simple logic for ADR in § 3. Basic definitions to specify our algorithm are in § 4 while the algorithm is in § 5. In § 6 we describe a methodology that relies on the algorithm in § 5 to recover architectural styles compromised by run-time reconfigurations. An application of the methodology is given in § 7. Related work is discussed in § 8. Concluding remarks and future work are in § 9.

2 A walk through ADR 

We briefly overview ADR; we borrow from [4] the main definitions and notations (slightly adapting them to our needs).

In the following, $\mathcal{N}$ and $\mathcal{E}$ are two countably infinite and disjoint sets (of nodes and edges respectively), $X^* \stackrel{\text{def}}{=} \{(x_1, \dots, x_n) \mid x_1, \dots, x_n \in X\}$ is the set of finite lists on a set $X$, and $\bar x$ ranges over $X^*$. Also, abusing notation, we sometimes use $\bar x$ to indicate its underlying set of elements.

Definition 1 ((Hyper)graphs). A (hyper)graph is a tuple $G = (V, E, t)$ where $V \subseteq \mathcal{N}$ and $E \subseteq \mathcal{E}$ are finite and $t : E \to V^*$ is the tentacle function.

Given a graph $G$, we denote with $V_G$, $E_G$, and $t_G$ its nodes, edges, and tentacle function, respectively. An edge $e \in E_G$ is connected to a list of nodes via $t_G$ and the arity of $e$ is the length of $t_G(e)$.

Definition 2 (Graph morphism). Let $G$ and $H$ be two graphs. A graph morphism from $G$ to $H$ is a pair of functions $(\sigma_V : V_G \to V_H,\ \sigma_E : E_G \to E_H)$ s.t. $\sigma_V$ and $\sigma_E$ preserve the tentacle functions, i.e. $\sigma_V^* \circ t_G = t_H \circ \sigma_E$, where $\sigma_V^*$ is the homomorphic extension of $\sigma_V$ to $V_G^*$.
In ADR, graphs are typed over a fixed type graph via typing morphisms. A graph $G$ is typed over a type graph $T$ through $\tau_G$ if $\tau_G$ is a morphism from $G$ to $T$.

Definition 3 (ADR graph). Let $T$ be a type graph equipped with a map $\eta : E_T \to \{0, 1\}$. An ADR graph $G$ is a (hyper)graph typed over $T$ through $\tau_G$ if $\tau_G$ is a morphism from $G$ to $T$; we call $e \in E_G$ terminal if $\eta(\tau_G(e)) = 0$ and non-terminal if $\eta(\tau_G(e)) = 1$.

This is reminiscent of string grammars where terminal symbols correspond to terminal edges and 
non-terminal symbols to non-terminal edges. 

Example 1. Let $V = \{\bullet\} \subseteq \mathcal{N}$ and $E = \{C, BF, FF, Fls, Fl, P, PF\} \subseteq \mathcal{E}$. Consider the type graph $T = (V, E, t, \eta)$ where $t : C \mapsto (\bullet)$ and $t : e \mapsto (\bullet, \bullet)$ for each $e \in E \setminus \{C\}$, with $\eta(e) = 0$ if $e \in \{C, FF\}$ and $\eta(e) = 1$ otherwise. The graph $G = (\{u_1, \dots, u_4\}, \{ff, fl_1, fl_2\}, t')$, where $t'$ is defined as $t' : ff \mapsto (u_2, u_1)$, $t' : fl_1 \mapsto (u_3, u_2)$, and $t' : fl_2 \mapsto (u_4, u_2)$, can be typed on $T$ by $\tau_G$ mapping all the nodes to $\bullet$, $fl_1$ and $fl_2$ to $Fls$, and $ff$ to $FF$. ◇

Hereafter, we fix a type graph $T$ and tacitly assume that all graphs $G$ are typed over $T$ via a morphism $\tau_G$. Intuitively, $T$ yields the vocabulary of the architectural elements to be used in the designs; moreover, $T$ specifies how these elements can be connected together (e.g., as in Example 1).

Type and typed graphs have a convenient visual notation. Nodes are circles and edges are drawn as (labelled) boxes; single- and double-lined boxes represent terminal and non-terminal edges, respectively. Tentacles are depicted as lines connecting boxes to circles; conventionally, a directed tentacle indicates the first node attached to the edge and the others are taken clockwise. The visual notation for typed graphs includes the graph and its typing morphism. Nodes are paired with their types, while an edge label $e : e'$ represents the fact that the typing morphism maps the edge $e$ of the graph to the edge $e'$ of the type graph.



Example 2. In the visual notation described above, the type graph $T$ and the graph $G$ of Example 1 can be respectively drawn as

[figure: the type graph $T$ (terminal edges $C$ and $FF$, non-terminal edges $BF, Fls, Fl, P, PF$) and the typed graph $G$ with edges $ff : FF$, $fl_1 : Fls$, $fl_2 : Fls$ over the nodes $u_1, \dots, u_4$]

where, to simplify the type graph, we use $e \in \{BF, Fls, Fl, P, PF\}$ instead of drawing an edge for each non-terminal edge of $T$. ◇



Definition 4 (Typed graph morphisms). A morphism between $T$-typed graphs $f : G_1 \to G_2$ is a typed graph morphism if it preserves the typing, i.e. such that $\tau_{G_1} = \tau_{G_2} \circ f$.

Definition 5 (Productions). A (design) production $p$ is a tuple $(L, R, i : V_L \to V_R)$ where $L$ is a graph consisting only of a non-terminal edge attached to distinct nodes; $R$ is an ADR graph (with both terminal and non-terminal edges); the nodes in $\mathrm{Im}(i)$ (the image of $i$) are called interface nodes.

Design productions can be thought of as rewriting rules that, when applied to a graph $G$, replace a non-terminal (hyper)edge of $G$ matching $L$ with a fresh copy of $R$ (we remark that our morphisms are type-preserving). Productions also have a suitable visual representation, illustrated in the next example.
Example 3. The graphical representation below represents a design production.

[figure: the design production bookFlight, with the LHS edge of type $Fls$ and the RHS graph drawn inside a dotted box]

Since the production above will be used later (cf. Example 7) we will refer to it as bookFlight. The left-hand-side (LHS) of bookFlight is an edge of type $Fls$ (denoted in the upper-left corner of the dotted box) whose nodes are those outside the dotted box; we omit the identities of such nodes when immaterial. The right-hand-side (RHS) of bookFlight is the graph inside the dotted box. The mapping $i$ of bookFlight is represented by the dotted lines. ◇

The application of asserted productions (cf. Definition 9) encompasses that of ADR productions, hence we give here only an example to illustrate how productions are applied.

Example 4. Consider the production bookFlight of Example 3. In the following rewriting

[figure: a graph with edges $ff : FF$ and $fls : Fls$ rewritten via bookFlight]

the unique edge of type $Fls$ in the leftmost graph is replaced by an instance of the RHS of bookFlight. Note that the rest of the graph (consisting only of the edge $ff$), including the interface nodes, is left unchanged while a fresh node $u_2$ is created. ◇



3 A logic for ADR 

We use a simple logic tailored to ADR. Basically, our logic is a propositional logic to predicate on (in)equalities of nodes. In the following we let $D, D'$ range over edges of $T$.

Definition 6 (ADR logic). Let $\mathcal{V}$ be a countably infinite set of variables for nodes (ranged over by $x, y, z, \dots$). The set $\mathcal{L}$ of (graph) formulae for ADR is given by the following grammar:

$$\psi, \phi ::= x = y \;\mid\; \top \;\mid\; \neg\phi \;\mid\; \phi_1 \wedge \phi_2 \;\mid\; \forall D(\bar x).\phi$$

In formulae of the form $\forall D(\bar x).\phi$, the occurrences of $y \in \bar x$ in $\phi$ are bound, $\bar x$ has the length of the arity of $D$ and the variables in $\bar x$ are pairwise distinct.

The logic is parametrised with respect to the type graph $T$ used in quantification. Variables not in the scope of a quantifier are free and the set $\mathrm{fv}(\phi)$ of free variables of $\phi \in \mathcal{L}$ is defined accordingly; also, we abbreviate $x_1 = x_2 \wedge \dots \wedge x_{n-1} = x_n$ with $x_1 = x_2 = \dots = x_{n-1} = x_n$ and we define $\bot$ as $\neg\top$, $x \neq y$ as $\neg(x = y)$, $\phi \vee \psi$ as $\neg(\neg\phi \wedge \neg\psi)$, $\phi \to \psi$ as $\neg\phi \vee \psi$, and $\exists D(\bar x).\phi$ as $\neg\forall D(\bar x).\neg\phi$.

The models of our logical formulae are ADR graphs. 
Definition 7 (Satisfaction relation). An ADR graph $G$ satisfies $\phi \in \mathcal{L}$ under the assignment $h : \mathcal{V} \to V_G$ (in symbols $G \models_h \phi$) iff

$\phi = \top$, or

$\phi = (x = y)$ and $h(x) = h(y)$, or

$\phi = \neg\phi'$ and $G \not\models_h \phi'$, or

$\phi = \phi_1 \wedge \phi_2$ and $G \models_h \phi_1$ and $G \models_h \phi_2$, or

$\phi = \forall D(\bar x).\phi'$ and $G \models_{h[\bar x \mapsto \bar u]} \phi'$ for any $d(\bar u) \in G$ s.t. $\tau_G(d) = D$

Note that in the last case of Definition 7, each bound variable in $\bar x$ is replaced with a node.

Fact. For each $h, h' : \mathcal{V} \to V_G$, if $h|_{\mathrm{fv}(\phi)} = h'|_{\mathrm{fv}(\phi)}$ then $G \models_h \phi$ iff $G \models_{h'} \phi$.

By the above property, in $G \models_h \phi$ we can restrict to finite mappings $h$ that only assign variables in $\mathrm{fv}(\phi)$. Hereafter, we write $G \models \phi$ when $\mathrm{fv}(\phi) = \emptyset$.

Example 5. The formula $\phi_{ex} = \forall D(x, y).\exists D'(z).\, x = z$ describes graphs such that each edge of type $D$ is connected to one of type $D'$ on the first tentacle. For instance, consider the graphs

[figure: $G_{valid}$, with edges $d_1 : D$, $d_2 : D$ and $d' : D'$ over nodes $u_1, u_2, u_4$, and $G_{invalid}$, with edges $d_1 : D$, $d_2 : D$ and $d' : D'$ over nodes $u_1, u_3, u_4$]

then $G_{valid}$ satisfies $\phi_{ex}$ whereas $G_{invalid}$ does not, because one of its edges of type $D$ is not connected to any edge of type $D'$. ◇

More interesting formulae are given in the next two examples.

Example 6. The formula

$$\mathsf{noEdge}(D) \stackrel{\text{def}}{=} \forall D(\bar x).\bot \qquad (2)$$

characterises the graphs that do not contain edges of a given type. ◇

Formulae of the form (2) will be used in Definition 11 (hereafter, we write $\mathsf{noEdge}(D_1, \dots, D_n)$ for $\mathsf{noEdge}(D_1) \wedge \dots \wedge \mathsf{noEdge}(D_n)$).

The next example shows that, despite its simplicity, our logic is quite expressive when "taken modulo 
productions". 

Example 7. By the production below, a non-terminal edge of type $C$ can be replaced by a chain of two edges of type $C$. The formula $\mathsf{path}_{D\,C}$ requires instead that any two different nodes attached to an edge of type $D$ are connected by an edge of type $C$.

[figure: the production replacing an edge $c : C$ with the chain $c_1 : C$, $c_2 : C$ through a fresh node $u_2$]

$$\mathsf{path}_{D\,C} \stackrel{\text{def}}{=} \forall D(x, y).\; x \neq y \to \exists C(u, v).(x = u \wedge y = v)$$

The production and the formula above characterise graphs that contain paths of edges of type $C$ between any two distinct nodes connected by an edge of type $D$. Note that even though there is no edge of type $D$ in the production, $\mathsf{path}_{D\,C}$ quantifies over edges of type $D$ in the graph. ◇
[figure] Figure 1: Asserted design productions



4 Design by Contract for ADR 

Our notion of contracts hinges on asserted productions, namely ADR productions decorated with pre- and post-conditions expressed in the logic $\mathcal{L}$ given in § 3.

Definition 8 (Asserted productions). If $p = (L, R, i)$ is a production, $h, h' : \mathcal{V} \to \mathcal{N}$ and $\psi, \phi \in \mathcal{L}$ then $\{\psi, h\}\; p\; \{\phi, h'\}$ is an asserted production iff $h(\mathrm{fv}(\psi)) \subseteq V_L$ and $h'(\mathrm{fv}(\phi)) \subseteq V_R$.

An asserted production generalises ADR productions and intuitively requires that if $p$ is applied to a graph $G$ that satisfies $\psi$ then the resulting graph is expected to satisfy $\phi$. The maps $h$ and $h'$ in Definition 8 allow pre- and post-conditions to predicate on nodes occurring in the LHS or the RHS of $p$.

An instance $G'$ of a graph $G$ is a graph $G'$ isomorphic to $G$ that does not share nodes or edges with $G$. The application of an asserted production to a graph consists of replacing a homomorphic image of the edge of the LHS with a new instance of the RHS and then connecting it to the interface nodes. This is formalised in the next definition and schematically illustrated in Figure 1.

Definition 9 (Applying asserted productions). Let $p = (L, R, i)$ be a production, $G$ a graph, and $\sigma$ a morphism from $L$ to $G$. We say that the asserted production $\pi = \{\psi, h\}\; p\; \{\phi, h'\}$ is applicable to $G$ via $\sigma$ iff $G \models_{\sigma \circ h} \psi$.

Given an instance $R'$ of $R$ through the isomorphism $\iota : R \to R'$ such that $E_{R'} \cap E_G = \emptyset$ and $V_{R'} \cap V_G = \emptyset$, a graph $(G' =)\; G[\sigma(e) \mapsto R'']$ is the application of $\pi$ to $G$ wrt $\sigma$ iff $R'' = R'[\iota(r) \mapsto \sigma(i^{-1}(r)) \mid r \in \mathrm{Im}(i)]$. A production $\pi$ is valid when any application of $\pi$ to a graph satisfying the pre-condition of $\pi$ yields a graph satisfying the post-condition of $\pi$.

Examples 8 and 9 show how asserted productions are applied to graphs.

Example 8. Let $\psi \stackrel{\text{def}}{=} \forall Fls(x, y).\, x \neq y$ and let $\pi \stackrel{\text{def}}{=} \{\psi, \emptyset\}\; \mathsf{bookFlight}\; \{\phi, \emptyset\}$ be an asserted production of bookFlight given in Example 3. If $G$ is the leftmost graph in the rewriting of Example 4 then we have $G \not\models \psi$ (under the unique morphism $\sigma$ from $L$ to $G$). In fact, $x$ and $y$ are mapped to the same node $u_1$ of $G$. ◇



Example 9. The rewriting below

[figure: a graph with edges $ff : FF$ and $fls : Fls$ rewritten via bookFlight into a graph with edges $ff : FF$ and $f : Fl$ and nodes $u_2$, $u_3$]

is obtained by the asserted production $\pi$ in Example 8: according to Definition 9, edge $fls$ on the left is replaced by an isomorphic instance of $R$ preserving the interface nodes $u_1$ and $u_3$. ◇

We remark that Definition 9 generalises the rewriting mechanism (hyper-edge replacement) [6] of ADR; in fact $\{\top, \emptyset\}\; p\; \{\top, \emptyset\}$ applies exactly as normal ADR productions.
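As an added illustration (not code from the paper), the following Python snippet models ADR graphs, the satisfaction relation of Definition 7 and the application of asserted productions of Definition 9, and runs them on the shapes of Examples 5, 8 and 9. The class and function names, the right-hand side chosen for bookFlight (a flight edge $Fl$ joined to a payment edge $P$ through a fresh node) and the sample graphs are this example's own constructions.

```python
"""Added example (not code from the paper): an executable model of ADR graphs, of the
logic of Definitions 6 and 7, and of production application (Definition 9).
Graph, sat, Production, applicable, apply_production and every sample graph are this
example's own constructions; edge types and node names follow the paper's examples."""

class Graph:
    """Typed hypergraph: edges maps an edge name to (type, tuple of attached nodes).
    Nodes are strings; the typing morphism is the stored type (the single node type
    of Example 1 is left implicit)."""
    def __init__(self, edges):
        self.edges = dict(edges)
        self.nodes = {n for _, ns in self.edges.values() for n in ns}

    def tentacles_of_type(self, D):
        return [ns for T, ns in self.edges.values() if T == D]

# Formulae (Definition 6) as nested tuples:
#   ('top',)  ('eq', x, y)  ('not', f)  ('and', f, g)  ('forall', D, (x1, ..., xn), f)
TOP = ('top',)
BOT = ('not', TOP)
def neq(x, y):         return ('not', ('eq', x, y))
def or_(f, g):         return ('not', ('and', ('not', f), ('not', g)))
def implies(f, g):     return or_(('not', f), g)
def exists(D, xs, f):  return ('not', ('forall', D, xs, ('not', f)))
def no_edge(D, arity): return ('forall', D, tuple(f'_x{k}' for k in range(arity)), BOT)

def sat(G, phi, h=None):
    """Definition 7: G |=_h phi, h being a partial assignment from variables to nodes."""
    h = h or {}
    tag = phi[0]
    if tag == 'top':
        return True
    if tag == 'eq':
        return h[phi[1]] == h[phi[2]]
    if tag == 'not':
        return not sat(G, phi[1], h)
    if tag == 'and':
        return sat(G, phi[1], h) and sat(G, phi[2], h)
    if tag == 'forall':   # bind the variables to the nodes of every edge of type D
        _, D, xs, body = phi
        return all(sat(G, body, {**h, **dict(zip(xs, ns))}) for ns in G.tentacles_of_type(D))
    raise ValueError(f'unknown connective {tag}')

class Production:
    """p = (L, R, i): one non-terminal LHS edge of type lhs_type on the distinct nodes
    lhs_nodes, an RHS graph rhs and i mapping LHS nodes to interface nodes of rhs."""
    def __init__(self, lhs_type, lhs_nodes, rhs, i):
        self.lhs_type, self.lhs_nodes, self.rhs, self.i = lhs_type, tuple(lhs_nodes), rhs, dict(i)

def applicable(G, p, edge, pre, h=None):
    """Definition 9: {pre, h} p {...} is applicable via the morphism sigma that sends
    the LHS edge to `edge` iff G |=_{sigma o h} pre."""
    T, nodes = G.edges[edge]
    if T != p.lhs_type or len(nodes) != len(p.lhs_nodes):
        return False
    sigma = dict(zip(p.lhs_nodes, nodes))
    return sat(G, pre, {x: sigma[l] for x, l in (h or {}).items()})

def apply_production(G, p, edge):
    """Definition 9: replace `edge` by a fresh, node- and edge-disjoint instance of the
    RHS whose interface nodes are identified with the nodes of the replaced edge."""
    T, nodes = G.edges[edge]
    assert T == p.lhs_type and len(nodes) == len(p.lhs_nodes)
    sigma = dict(zip(p.lhs_nodes, nodes))
    used = set(G.nodes) | set(G.edges)
    def fresh(name):                          # the isomorphism iota onto unused names
        cand, k = name, 0
        while cand in used:
            k += 1
            cand = f'{name}{k}'
        used.add(cand)
        return cand
    glue = {r: sigma[l] for l, r in p.i.items()}          # iota(r) -> sigma(i^-1(r))
    rename = {n: glue[n] if n in glue else fresh(n) for n in p.rhs.nodes}
    new_edges = {e: v for e, v in G.edges.items() if e != edge}
    for e, (t, ns) in p.rhs.edges.items():
        new_edges[fresh(e)] = (t, tuple(rename[n] for n in ns))
    return Graph(new_edges)

# Example 5's formula and two constructed graphs in its shape (D' taken as unary).
PHI_EX = ('forall', 'D', ('x', 'y'), exists("D'", ('z',), ('eq', 'x', 'z')))
G_VALID = Graph({'d1': ('D', ('u1', 'u2')), 'd2': ('D', ('u1', 'u4')), "d'": ("D'", ('u1',))})
G_INVALID = Graph({'d1': ('D', ('u1', 'u3')), 'd2': ('D', ('u4', 'u3')), "d'": ("D'", ('u1',))})

# A constructed bookFlight: Fls(l1, l2) -> f : Fl(r1, m), p : P(m, r2), interface l1->r1, l2->r2.
BOOK_FLIGHT = Production('Fls', ('l1', 'l2'),
                         Graph({'f': ('Fl', ('r1', 'm')), 'p': ('P', ('m', 'r2'))}),
                         {'l1': 'r1', 'l2': 'r2'})
PSI = ('forall', 'Fls', ('x', 'y'), neq('x', 'y'))          # pre-condition of Example 8
G_LOOP = Graph({'ff': ('FF', ('u2', 'u1')), 'fls': ('Fls', ('u1', 'u1'))})   # x and y both u1
G_OK = Graph({'ff': ('FF', ('u2', 'u1')), 'fls': ('Fls', ('u1', 'u3'))})

def demo():
    """phi_ex on G_VALID / G_INVALID, applicability of {PSI} bookFlight on G_LOOP / G_OK,
    and the edge types of G_OK after the rewriting."""
    rewritten = apply_production(G_OK, BOOK_FLIGHT, 'fls')
    return (sat(G_VALID, PHI_EX), sat(G_INVALID, PHI_EX),
            applicable(G_LOOP, BOOK_FLIGHT, 'fls', PSI),
            applicable(G_OK, BOOK_FLIGHT, 'fls', PSI),
            sorted(t for t, _ in rewritten.edges.values()))

if __name__ == '__main__':
    print(demo())
```

The quantifier case of `sat` is the only place where the type graph matters: it ranges over the tentacles of every edge whose type is the quantified one, exactly as the last clause of Definition 7 prescribes, so a universally quantified formula is vacuously true on a graph without edges of that type (which is what makes $\mathsf{noEdge}$ work). `apply_production` keeps the interface nodes of the matched edge and renames every other node and edge of the RHS to a name not already in the host graph, which is the disjointness condition on $R'$ in Definition 9.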

5 Extracting contracts for ADR productions 

The application of an asserted production $\{\psi, h\}\; p\; \{\phi, h'\}$ to a graph satisfying $\psi$ does not necessarily yield a graph satisfying $\phi$ (this can be trivially noted by taking a production with $\bot$ as post-condition). We give an algorithm to compute the weakest pre-condition given a post-condition and a production, in the style of the seminal work on predicate transformers of Dijkstra [7]. We first give some auxiliary definitions and notations.

Hereafter, bound variables in a formula are assumed distinct from its free variables and bound only once. An environment $\mathscr{E}$ is the product of three finite partial maps $\mathscr{E}^{(1)} : \mathcal{V} \to \{\forall, \exists\}$, $\mathscr{E}^{(2)} : \mathcal{V} \to E_T$, and $\mathscr{E}^{(3)} : \mathcal{V} \to \mathcal{N}$. Hereafter, we write $\emptyset$ for the empty environment, and $\mathscr{E}(x) = q\,D\,G$ when $x$ is quantified by $q \in \{\forall, \exists\}$ (that is $\mathscr{E}^{(1)}(x) = q$), attached to an edge of type $D$ (that is $\mathscr{E}^{(2)}(x) = D$), and mapped to a node of $G$ (that is $\mathscr{E}^{(3)}(x) \in V_G$); if $G$ consists of a single node $n$, we simply write $\mathscr{E}(x) = q\,D\,n$. Also, we use "$\_$" as a wild-card, writing e.g. $\mathscr{E}(x) = q\,\_\,G$ when we are not interested in the type assigned to $x$ (i.e., $\mathscr{E}(x) = q\,\_\,G$ abbreviates $\mathscr{E}^{(1)}(x) = q$ and $\mathscr{E}^{(3)}(x) \in V_G$).

Definition 10 (Auxiliary mapping). Let $p = (L, R, i)$ be a production. We write $R^\circ \stackrel{\text{def}}{=} V_R \setminus \mathrm{Im}(i)$ to denote the internal nodes of $p$, and $\bar R \stackrel{\text{def}}{=} \mathcal{N} \setminus V_R$ to denote the nodes outside $p$. Given $\psi_1, \psi_2, \psi_3 \in \mathcal{L}$, the map

$$\mathsf{eq}^{\psi_1,\psi_2,\psi_3}_{x_1 = x_2}(\mathscr{E}) = \begin{cases}
\top & \text{if } \mathscr{E}(x_1) = \exists\,\_\,n,\ \mathscr{E}(x_2) = \exists\,\_\,n \text{ and } n \in R^\circ \\
\bot & \text{if } \mathscr{E}(x_1) = \forall\,\_\,R^\circ \text{ and } (\mathscr{E}(x_2) = \exists\,\_\,\bar R \text{ or } \mathscr{E}(x_2) = \exists\,\_\,\mathrm{Im}(i)) \\
\bot & \text{if } \mathscr{E}(x_1) = \forall\,\_\,R^\circ,\ \mathscr{E}^{(3)}(x_2) \in R^\circ \text{ and } \mathscr{E}^{(3)}(x_1) \neq \mathscr{E}^{(3)}(x_2) \\
\psi_1 & \text{if } \mathscr{E}(x_1) = \forall\,\_\,R^\circ \text{ and } \mathscr{E}(x_2) = \forall\,D\,\bar R \\
\psi_2 & \text{if } \mathscr{E}(x_1) = \forall\,D\,n,\ \mathscr{E}(x_2) = \forall\,D'\,n \text{ and } n \in R^\circ \\
\psi_3 & \text{otherwise}
\end{cases}$$

returns, depending on $\mathscr{E}$, either $\psi_j$, $\top$, or $\bot$.

The map $\mathsf{eq}^{\psi_1,\psi_2,\psi_3}_{x_1=x_2}$ in Definition 10 is parametrised with $\psi_1$, $\psi_2$, and $\psi_3$. Intuitively, $\mathsf{eq}^{\psi_1,\psi_2,\psi_3}_{x_1=x_2}(\mathscr{E})$ inspects the environment and returns $\top$, $\bot$, $\psi_1$, $\psi_2$, or $\psi_3$. The variables $x_1$ and $x_2$ in an equality are quantified/assigned in $\mathscr{E}$. More precisely,

• $\mathsf{eq}^{\psi_1,\psi_2,\psi_3}_{x_1=x_2}(\mathscr{E})$ returns $\top$ when $x_1$ and $x_2$ are both existentially quantified and assigned to the same internal node of $R$, the RHS of $p$: then the application of $p$ guarantees the equality $x_1 = x_2$ regardless of the graph it is applied to;

• $\mathsf{eq}^{\psi_1,\psi_2,\psi_3}_{x_1=x_2}(\mathscr{E})$ returns $\bot$ when one of the nodes, say $x_1$, is universally quantified and assigned to an internal node of $R$ while $x_2$ is either not internal or internal but assigned to a different node than $x_1$;

• in the other cases, $\mathsf{eq}^{\psi_1,\psi_2,\psi_3}_{x_1=x_2}(\mathscr{E})$ returns either $\psi_1$, $\psi_2$, or $\psi_3$; as will become clearer after Definition 11, such conditions state the absence of some edges from the graph $p$ is applied to, or the validity of a suitable node equality.
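To make the case analysis of Definition 10 concrete, here is an added Python rendering of the map $\mathsf{eq}$ (not code from the paper), run on the environments that Example 10 below builds for the post-condition $\forall B(x,y).\forall C(z).\, y = z$. The class `Env`, the function names and the string encoding of $\top$, $\bot$ and $\mathsf{noEdge}(\cdot)$ are this example's own choices; the internal node $u$, the interface node $u_1$ and the representative external nodes $v_1, v_2$ are those of Example 10.

```python
"""Added example (not code from the paper): the auxiliary map eq of Definition 10 as a
Python function, run on the environments of Example 10. Env, eq, conj and the string
encoding of formulae ('T', 'F', 'noEdge(C)') are this example's own choices."""

ALL, SOME = 'forall', 'exists'

class Env:
    """An environment: variable -> (quantifier, edge type, node)."""
    def __init__(self, **binds):            # e.g. Env(y=(ALL, 'B', 'u'))
        self.b = dict(binds)
    def union(self, other):
        return Env(**{**self.b, **other.b})

def eq(env, x1, x2, psi1, psi2, psi3, internal, interface):
    """eq^{psi1,psi2,psi3}_{x1=x2}(env). internal is R° and interface is Im(i); every
    other node counts as outside R. psi1 and psi2 are callables receiving the edge
    types bound in env (so that noEdge(D) and noEdge(D,D') can be formed as in
    Definition 11); psi3 is returned as it is."""
    q1, D1, n1 = env.b[x1]
    q2, D2, n2 = env.b[x2]
    outside2 = n2 not in internal and n2 not in interface
    if q1 == SOME and q2 == SOME and n1 == n2 and n1 in internal:
        return 'T'                                                # case 1
    if q1 == ALL and n1 in internal and q2 == SOME and (outside2 or n2 in interface):
        return 'F'                                                # case 2
    if q1 == ALL and n1 in internal and n2 in internal and n1 != n2:
        return 'F'                                                # case 3
    if q1 == ALL and n1 in internal and q2 == ALL and outside2:
        return psi1(D2)                                           # case 4
    if q1 == ALL and q2 == ALL and n1 == n2 and n1 in internal:
        return psi2(D1, D2)                                       # case 5
    return psi3                                                   # otherwise

def conj(terms):
    """Conjunction with top units dropped and bottom absorbing, as in equation (3)."""
    if 'F' in terms:
        return 'F'
    rest = [t for t in terms if t != 'T']
    return ' ∧ '.join(rest) if rest else 'T'

# Example 10: u is the internal node, u1 the interface node, v1 and v2 representative
# external nodes; E1..E3 assign x, y for forall B(x,y), E4..E5 assign z for forall C(z).
E = {1: Env(x=(ALL, 'B', 'u1'), y=(ALL, 'B', 'u')),
     2: Env(x=(ALL, 'B', 'u1'), y=(ALL, 'B', 'v1')),
     3: Env(x=(ALL, 'B', 'v1'), y=(ALL, 'B', 'v2')),
     4: Env(z=(ALL, 'C', 'u1')),
     5: Env(z=(ALL, 'C', 'v1'))}

def wd_example10():
    """The wd part of Example 10: eq on y = z under E_j ∪ E_k for j in 1..3, k in 4..5,
    with the parameters noEdge(D), noEdge(D,D') and top used by wd in Definition 11."""
    terms = [eq(E[j].union(E[k]), 'y', 'z',
                lambda D: f'noEdge({D})', lambda D, Dp: f'noEdge({D},{Dp})', 'T',
                internal={'u'}, interface={'u1'})
             for j in (1, 2, 3) for k in (4, 5)]
    return terms, conj(terms)

if __name__ == '__main__':
    print(wd_example10())
```

Only the pair $\mathscr{E}_1 \cup \mathscr{E}_5$ (with $y$ universally bound to the internal node $u$ and $z$ to the external node $v_1$) falls into the fourth case and yields $\mathsf{noEdge}(C)$; every other pair hits the "otherwise" case, so the conjunction collapses to $\mathsf{noEdge}(C)$, which is the value (3) obtained in Example 10.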

A formula $\phi \in \mathcal{L}$ is in negation normal form when it is closed and negation occurs only in front of equalities. It is trivial to see that all formulae of $\mathcal{L}$ have an equivalent negation normal form.
Definition 11 (Weakest pre-conditions). Let $p = (L, R, i)$ be a production, $\mathscr{E}$ an environment and $Z = \{z_1, \dots, z_m\} \subseteq \mathcal{V}$ where $m$ is the arity of $L$, $\phi \in \mathcal{L}$ in negation normal form, $h : \mathrm{fv}(\phi) \to V_R$ be injective, and $\bar h : Z \to V_L$ a bijection.

The predicate $\mathcal{W}_{\bar h}(p, \phi) \stackrel{\text{def}}{=} \mathsf{wd}^{\emptyset}_h(\phi) \wedge \mathsf{wp}^{\bar h}_{h,\emptyset}(\phi)$ (where the predicate transformers $\mathsf{wd}^{\mathscr{E}}_h(\phi)$ and $\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\phi)$ are defined below) is the weakest pre-condition of $p$ with post-condition $\phi$ under $h$, $\bar h$.

The maps $\mathsf{wd}^{\mathscr{E}}_h(\phi)$ and $\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\phi)$ are defined below where, in the clauses for quantifiers $\forall D(\bar x).\_$ and $\exists D(\bar x).\_$, we assume that $\{v_1, \dots, v_n\} \subseteq \bar R$ is a fixed set of (representative) external nodes. Also, the condition $\bar u \text{ on } R\,D$ holds iff $\bar u \cap R^\circ = \emptyset$ when $R$ does not have edges of type $D$.

$$\begin{array}{rcl}
\mathsf{wd}^{\mathscr{E}}_h(x_1 = x_2) & = & \mathsf{eq}^{\mathsf{noEdge}(D),\,\mathsf{noEdge}(D,D'),\,\top}_{x_1 = x_2}(\mathscr{E}) \\
\mathsf{wd}^{\mathscr{E}}_h(x_1 \neq x_2) & = & \neg\,\mathsf{eq}^{\cdots}_{x_1 = x_2}(\mathscr{E}) \\
\mathsf{wd}^{\mathscr{E}}_h(\top) & = & \top \\
\mathsf{wd}^{\mathscr{E}}_h(\phi \wedge \phi') & = & \mathsf{wd}^{\mathscr{E}}_h(\phi) \wedge \mathsf{wd}^{\mathscr{E}}_h(\phi') \\
\mathsf{wd}^{\mathscr{E}}_h(\phi \vee \phi') & = & \mathsf{wd}^{\mathscr{E}}_h(\phi) \vee \mathsf{wd}^{\mathscr{E}}_h(\phi') \\
\mathsf{wd}^{\mathscr{E}}_h(\forall D(\bar x).\phi) & = & \bigwedge_{\bar u \text{ on } R\,D} \mathsf{wd}^{\mathscr{E}'}_h(\phi) \\
 & & \text{where } \bar x = x_1, \dots, x_n,\ \bar u = u_1, \dots, u_n \in (V_R \cup \{v_1, \dots, v_n\})^* \\
 & & \text{and } \mathscr{E}' = \mathscr{E}[x_j \mapsto (\forall, D, u_j) \mid j = 1, \dots, n] \\
\mathsf{wd}^{\mathscr{E}}_h(\exists D(\bar x).\phi) & = & \bigvee_{\bar u \text{ on } R\,D} \mathsf{wd}^{\mathscr{E}'}_h(\phi) \\
 & & \text{where } \bar x = x_1, \dots, x_n,\ \bar u = u_1, \dots, u_n \in (V_R \cup \{v_1, \dots, v_n\})^* \\
 & & \text{and } \mathscr{E}' = \mathscr{E}[x_j \mapsto (\exists, D, u_j) \mid j = 1, \dots, n]
\end{array}$$

$$\begin{array}{rcl}
\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(x_1 = x_2) & = & \mathsf{eq}^{\mathsf{noEdge}(D),\,\mathsf{noEdge}(D,D'),\,y_1 = y_2}_{x_1 = x_2}(\mathscr{E}) \\
 & & \text{where } y_j = \bar h^{-1}(i^{-1}(h(x_j))) \text{ if } h(x_j) \in \mathrm{Im}(i), \text{ and } y_j = x_j \text{ otherwise} \\
\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\top) & = & \top \\
\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\phi \wedge \phi') & = & \mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\phi) \wedge \mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\phi') \\
\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\phi \vee \phi') & = & \mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\phi) \vee \mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\phi') \\
\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\forall D(\bar x).\phi) & = & \bigwedge_{\bar u \text{ on } R\,D} \forall D(\bar x).\mathsf{wp}^{\bar h}_{h,\mathscr{E}'}(\phi) \\
 & & \text{where } \bar x = x_1, \dots, x_n,\ \bar u = u_1, \dots, u_n \in (V_R \cup \{v_1, \dots, v_n\})^* \\
 & & \text{and } \mathscr{E}' = \mathscr{E}[x_j \mapsto (\forall, D, u_j) \mid j = 1, \dots, n] \\
\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\exists D(\bar x).\phi) & = & \bigvee_{\bar u \text{ on } R\,D} \big(\exists D(\bar x).\mathsf{wp}^{\bar h}_{h,\mathscr{E}'}(\phi) \vee \mathsf{wd}^{\mathscr{E}'}_h(\phi)\big) \\
 & & \text{where } \bar x = x_1, \dots, x_n,\ \bar u = u_1, \dots, u_n \in (V_R \cup \{v_1, \dots, v_n\})^* \\
 & & \text{and } \mathscr{E}' = \mathscr{E}[x_j \mapsto (\exists, D, u_j) \mid j = 1, \dots, n]
\end{array}$$

The weakest pre-condition is the conjunction of the predicates computed by the predicate transformers $\mathsf{wd}^{\mathscr{E}}_h$ and $\mathsf{wp}^{\bar h}_{h,\mathscr{E}}$ on the post-condition $\phi$. The first transformer simply checks that the production $p$ can guarantee the post-condition for some pre-condition.

The most interesting cases in Definition 11 are the ones for equality $x_1 = x_2$, dealt with by the auxiliary map $\mathsf{eq}^{\psi_1,\psi_2,\psi_3}_{x_1=x_2}(\mathscr{E})$. If both $x_1$ and $x_2$ are existentially quantified and assigned to the same internal node of $p$, the calculated weakest pre-condition is $\top$; in fact, whatever graph the production is applied to, the post-condition would be guaranteed by the RHS of $p$. Instead, $\bot$ is returned when, say, $x_1$ is universally quantified and (i) $x_2$ is an existentially quantified variable assigned to an interface node, or (ii) $x_2$ is assigned to an internal node of $R$ different from the one assigned to $x_1$. (Note that in (i), if $x_2$ were universally quantified, there might be a chance to guarantee the equality if no edges of the type quantifying the variables were in the graph $p$ is applied to.) In fact, $\mathsf{eq}^{\psi_1,\psi_2,\psi_3}_{x_1=x_2}(\mathscr{E})$ returns $\bot$ if (i) $x_1$ is mapped to a fresh node in the RHS of $p$ (i.e., an internal node of $p$) while $x_2$ is mapped to a node outside $p$, or (ii) if they are mapped to two distinct fresh nodes of the RHS of $p$, because the semantics of ADR does not allow such identifications on the internal nodes of a production. The equality $x_1 = x_2$ may hold if $x_1$ and $x_2$ are mapped to the same internal node, provided that no edge in the graph $p$ is applied to is typed as the type of the edges insisting on the variables; otherwise the universal quantification would be spoiled. Likewise, if both variables are universally quantified but one is internal and the other is external (not in $p$), then the weakest pre-condition returns $\mathsf{noEdge}(D)$ where $D$ is the type of the external variable. Intuitively, the graph resulting from the application of $p$ to a graph with an edge $e$ of type $D$ would violate the quantification of $x_1$ and $x_2$, since $e$ cannot insist on fresh nodes introduced by $p$. In all other cases, $\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(x_1 = x_2)$ requires the initial graph to satisfy the same equality on the nodes corresponding to the variables of the post-condition; this requires that if either $x_1$ or $x_2$ is assigned to an interface node (that is $h(x_j) \in \mathrm{Im}(i)$) it has a counterpart variable $z \in \{z_1, \dots, z_m\}$ mapped (through $\bar h$) on the node $i^{-1}(x_1)$ or $i^{-1}(x_2)$ in $L$.

The remaining cases are trivial except for the quantifications $\forall D(\bar x).\phi$ and $\exists D(\bar x).\phi$, where the computed pre-conditions have to be satisfied under any "reasonable" assignment to $\bar x$ for the universal quantification, or under one "reasonable" assignment to $\bar x$ for the existential quantification; this means that such variables are assigned in any possible way either to nodes in $R$ or to a fixed set of nodes $v_1, \dots, v_n$ outside $R$. The choice of such nodes is immaterial, the crucial point being just that they refer to nodes outside $R$ (i.e., as many as the variables in $\bar x$).

Proposition 1. If $\psi$ and $\phi$ are logically equivalent $\mathcal{L}$-formulae, then $\mathsf{wd}^{\mathscr{E}}_h(\psi)$ (resp. $\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\psi)$) is logically equivalent to $\mathsf{wd}^{\mathscr{E}}_h(\phi)$ (resp. $\mathsf{wp}^{\bar h}_{h,\mathscr{E}}(\phi)$).

The next example shows how to compute weakest pre-conditions. 

Example 10. Consider $\phi \in \mathcal{L}$ and the production $p$ below; let $R$ be the RHS of $p$:

$$\phi = \forall B(x, y).\forall C(z).\; y = z$$

[figure: the production $p$, whose RHS consists of the single edge $b : B$ attached to the interface node $u_1$ and the internal node $u$]

The first step to compute $\mathcal{W}_{\bar h}(p, \phi) = \mathsf{wd}^{\emptyset}_h(\phi) \wedge \mathsf{wp}^{\bar h}_{h,\emptyset}(\phi)$, where $\bar h$ refers to the interface nodes, applies the quantification case in Definition 11 and yields

$$\Big(\bigwedge_{j=1,2,3} \mathsf{wd}^{\mathscr{E}_j}_h(\phi')\Big) \wedge \Big(\bigwedge_{j=1,2,3} \forall B(x, y).\mathsf{wp}^{\bar h}_{h,\mathscr{E}_j}(\phi')\Big)$$

with $\phi' = \forall C(z).\, y = z$, given that $\mathscr{E}_1 = \{x \mapsto (\forall, B, u_1),\ y \mapsto (\forall, B, u)\}$, $\mathscr{E}_2 = \{x \mapsto (\forall, B, u_1),\ y \mapsto (\forall, B, v_1)\}$ and $\mathscr{E}_3 = \{x \mapsto (\forall, B, v_1),\ y \mapsto (\forall, B, v_2)\}$ are the only assignments to consider (since $v_1$ and $v_2$ are representative nodes outside $R$ while $u_1$ is the unique node on $R$'s interface, and $u$ its unique internal node).

The second step applies again this case for $\forall C(z)$ (for both $\mathsf{wd}^{\mathscr{E}_j}_h(\phi')$ and $\mathsf{wp}^{\bar h}_{h,\mathscr{E}_j}(\phi')$) and yields

$$\Big(\bigwedge_{j=1,2,3;\ k=4,5} \mathsf{wd}^{\mathscr{E}_j \cup \mathscr{E}_k}_h(\phi'')\Big) \wedge \Big(\bigwedge_{j=1,2,3;\ k=4,5} \forall B(x, y).\forall C(z).\mathsf{wp}^{\bar h}_{h,\mathscr{E}_j \cup \mathscr{E}_k}(\phi'')\Big)$$

with $\phi'' = (y = z)$, where $\mathscr{E}_4 = \{z \mapsto (\forall, C, u_1)\}$ and $\mathscr{E}_5 = \{z \mapsto (\forall, C, v_1)\}$; in fact there is no edge of type $C$ in the RHS of $p$ (hence $v_1$ is the representative external node and $u_1$ is its unique interface node).

Finally, applying the auxiliary map $\mathsf{eq}^{\psi_1,\psi_2,\psi_3}_{x_1=x_2}(\mathscr{E})$ for node equality, we get

$$\bigwedge_{j,k} \mathsf{wd}^{\mathscr{E}_j \cup \mathscr{E}_k}_h(\phi'') = (\top \wedge \mathsf{noEdge}(C)) \wedge (\top \wedge \top) \wedge (\top \wedge \top) = \mathsf{noEdge}(C) \qquad (3)$$

$$\bigwedge_{j,k} \forall B(x, y).\forall C(z).\mathsf{wp}^{\bar h}_{h,\mathscr{E}_j \cup \mathscr{E}_k}(\phi'') = \forall B(x, y).\forall C(z).\mathsf{noEdge}(C) \wedge \forall B(x, y).\forall C(z).\; y = z \qquad (4)$$

Note that the weakest pre-condition is the conjunction of (3) and (4), that is

$$\mathcal{W}_{\bar h}(p, \phi) = \mathsf{noEdge}(C) \wedge \forall B(x, y).\forall C(z).\mathsf{noEdge}(C) \wedge \forall B(x, y).\forall C(z).\; y = z$$

This is consistent with the fact that $\phi$ can only be satisfied by graphs that do not have any edges of type $C$, due to the internal node $u$ introduced by the production $p$. ◇



Theorem 1. Let $p = (L, R, i)$ be a production, $\phi \in \mathcal{L}$, $h : \mathrm{fv}(\phi) \to V_R$ be injective, $\bar h : Z \to V_L$ be a bijection, and $\pi$ be the asserted production $\{\mathcal{W}_{\bar h}(p, \phi), \bar h\}\; p\; \{\phi, h\}$. For any ADR graph $G$ and morphism $\sigma$ from $L$ to $G$, if $G \models_{\sigma \circ \bar h} \mathcal{W}_{\bar h}(p, \phi)$ then $\pi(G, \sigma) \models_h \phi$.

Theorem 2. For any closed formula $\psi$ such that $\{\psi, h'\}\; p\; \{\phi, h\}$ is a valid production, $\psi$ implies


6 A methodology for recovering invalid configurations 

In this paper, we envisage architectural styles as formalised by a set of ADR productions combined with a closed formula of our logic specifying an invariant of the system, as illustrated in Example 11 below.

Example 11. Consider the run-time reconfiguration

[figure: the reconfiguration badServer, in which the server edge $S$ shared by client edges $c : C$ becomes a failed server $F$]

where $S$ changes as illustrated to model a failure $F$. By imposing an invariant that states that every client has to be connected to a non-failed server, the invalid configuration can be identified and recovered. ◇

We give a basic methodology for recovering a system to a valid state when run-time reconfigurations compromise it. We will assume that ADR graphs may be subject to run-time changes. Instead of giving a formal definition for such graph rewritings, for the sake of this paper it is enough to consider simple local rewritings whereby edges may become corrupted and in turn compromise the desired architectural style in terms of the specified invariant. In § 9 we briefly discuss more complex methodologies that we plan to consider in future developments.

We are interested in computations that start from a system configuration, say $s_0$, that corresponds to an initial graph, say $G_0$, supposed to satisfy the invariant, say $\phi_{inv}$. The system may evolve at run-time through a series of reconfigurations ($r_i$) that are reflected at the architectural level as schematically represented in diagram (5) below (where $G_i \vdash s_i$ stands for "$s_i$ can be parsed as $G_i$"):

$$\begin{array}{ccccccccccc}
G_0 & \to & G_1 & \to & \cdots & \to & G_{k-1} & \to & G_k & \to & \cdots \\
\uparrow & & \uparrow & & & & \uparrow & & \uparrow & & \\
s_0 & \to & s_1 & \to & \cdots & \to & s_{k-1} & \to & s_k & \to & \cdots
\end{array} \qquad (5)$$

We assume that most of the run-time reconfigurations produce graphs that do not violate $\phi_{inv}$. Occasionally, the graph obtained by a run-time reconfiguration, say $G_i$, may violate $\phi_{inv}$. Our approach essentially computes how to rewrite graph $G_i$ to a graph $G_{i+1}$ satisfying $\phi_{inv}$ and then reflects this into $s_i$ by means of reconfigurations leading to a state $s_{i+1}$ with architecture $G_{i+1}$.

We propose a simple methodology that can select a production that, when applied to $G_i$, induces a reconfiguration of the violating system into a state whose style satisfies $\phi_{inv}$. We assume a monitoring mechanism that triggers our methodology whenever a reconfiguration yields an invalid system.

Once the productions and an architectural invariant $\phi_{inv}$ yielding the architectural style of interest are established (as done in Example 11), our methodology consists of the following steps:

1. The architecture (say $G$) corresponding to the configuration of the current system is computed through ADR parsing.

2. Check that $G$ satisfies $\phi_{inv}$.

3. If $G \not\models \phi_{inv}$ then, for each production $p$, compute the weakest pre-condition $\phi$ wrt $\phi_{inv}$.

4. Select a production $p$ (if any) such that $G \models \phi$ and apply it to $G$ to determine the reconfiguration needed for the system to reach a valid state.

In step 1 we rely on the parsing mechanism of ADR (cf. [4]) whereby productions can be used "backward" to retrieve the architecture of a configuration. For space limits, we do not present the parsing mechanism and refer the interested reader to [4]. In step 2 we assume that an underlying monitoring mechanism uses the $\models$ relation of our logic to determine if the graph $G$ computed in step 1 violates the invariant. In such a case, step 3 uses the algorithm on each production to compute their weakest pre-conditions (this step does not need to be re-iterated at each reconfiguration). Finally, in step 4, if the architecture of the violating system satisfies one of the computed pre-conditions, such production is a candidate to establish a new architecture and trigger the appropriate reconfigurations on the invalid system. Note that the morphism that invalidates $G \models \phi_{inv}$ indicates which part of the system has to be rewritten, while the production $p$ suggests plausible reconfigurations.
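The following Python snippet is an added, constructed instance of the four steps above on the client/server scenario of Example 11; it is not the paper's code. The edge types $C$ (client), $S$ (server), $F$ (failed server) and $Srv$ (the non-terminal servers are derived from), the two productions, the invariant and the hand-written pre-conditions that stand in for the weakest pre-conditions step 3 would compute with the algorithm of § 5 are all assumptions of this example, and ADR parsing (step 1) is reduced to abstracting a failed server back into the non-terminal it was produced from.

```python
"""Added example (not the paper's code): the four recovery steps of Section 6 run on a
constructed instance of Example 11's client/server scenario. The edge types C, S, F
and Srv, the productions, the invariant and the hand-written pre-conditions standing
in for the computed weakest pre-conditions are all assumptions of this example; ADR
parsing (step 1) is reduced to abstracting a failed server back into the non-terminal
it was derived from."""

# A configuration is a dict: edge name -> (type, nodes). C (client), S (server) and
# F (failed server) are unary terminal edges attached to a port node; Srv is the
# non-terminal from which servers are derived.
def edges_of(G, T):
    return {e: ns for e, (t, ns) in G.items() if t == T}

def invariant(G):
    """phi_inv of Example 11: every client is attached to a non-failed server,
    i.e. forall C(x). exists S(y). x = y."""
    served = {ns[0] for ns in edges_of(G, 'S').values()}
    return all(ns[0] in served for ns in edges_of(G, 'C').values())

def violating_part(G):
    """The edges on which the invariant fails: clients without a server on their port."""
    served = {ns[0] for ns in edges_of(G, 'S').values()}
    return [e for e, ns in edges_of(G, 'C').items() if ns[0] not in served]

# Productions over Srv: name -> (type of the single RHS edge, or None to delete,
# pre-condition). The pre-conditions play the role of the weakest pre-conditions
# that step 3 computes with Section 5's algorithm; here they are written by hand.
def pre_decommission(G):            # valid afterwards only if there is no client at all
    return not edges_of(G, 'C')

def pre_deploy(G):                  # every client port carries a server or a pending Srv
    providers = {ns[0] for t in ('S', 'Srv') for ns in edges_of(G, t).values()}
    return all(ns[0] in providers for ns in edges_of(G, 'C').values())

PRODUCTIONS = {'decommission': (None, pre_decommission), 'deploy': ('S', pre_deploy)}

def parse(config):
    """Step 1 (simplified): the architecture of the running configuration, with failed
    servers abstracted back into the Srv non-terminal they were produced from."""
    return {e: (('Srv', ns) if t == 'F' else (t, ns)) for e, (t, ns) in config.items()}

def apply(G, name, edge):
    """Step 4: hyperedge replacement of the Srv edge `edge` by the production's RHS."""
    rhs_type, _ = PRODUCTIONS[name]
    H = {e: v for e, v in G.items() if e != edge}
    if rhs_type is not None:
        H[f'{edge}_{name}'] = (rhs_type, G[edge][1])
    return H

def recover(config):
    """Steps 1-4 of Section 6. Returns None when the architecture already satisfies the
    invariant, otherwise (production, rewritten Srv edge, recovered architecture)."""
    G = parse(config)                                    # step 1
    if invariant(G):                                     # step 2
        return None
    ports = {G[c][1][0] for c in violating_part(G)}      # where the invariant fails
    targets = [e for e, ns in edges_of(G, 'Srv').items() if ns[0] in ports]
    for name, (_, weakest_pre) in PRODUCTIONS.items():   # step 3: pre-conditions
        if targets and weakest_pre(G):                   # step 4: G |= pre
            H = apply(G, name, targets[0])
            return name, targets[0], H
    return None

# Constructed run-time configuration: s2 has failed while client c2 still depends on it.
CONFIG = {'c1': ('C', ('p1',)), 's1': ('S', ('p1',)),
          'c2': ('C', ('p2',)), 's2': ('F', ('p2',))}

if __name__ == '__main__':
    print(recover(CONFIG))
```

The decommission production is listed first on purpose: its pre-condition fails on a graph that still has clients, so it is skipped, and deploy is the candidate whose pre-condition the violating architecture satisfies. The part of the graph to rewrite comes from the failed invariant check, as the paragraph above notes, and the selected production determines the reconfiguration.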

In § 7 we apply the methodology above to a small example.



7 Applying the methodology 

We consider a scenario where a flight search engine allows users to book flights. 

[figure] Figure 2: A simple scenario. (a) The architecture of a client that books and pays for a flight (edges $c : C$, $ff : FF$, $f : Fl$ and a payment edge of type $P$); (b) the configuration where the payment edge has become $pf : PF$.

First, we use the type graph in Example 2 to model our scenario in ADR. Note that, in the type graph of Example 2, there is only one type of node $\bullet$ while the types of edges are $C$ (for clients), $BF$ (for the booking flights services), $FF$ (for the broker service finding flights), $Fls$ (for the different flights available), $Fl$ (for the flight to be booked), and $P$ and $PF$ (for completed or failed payment services, respectively). Consider the following productions:

[figure: the productions findFlights (LHS of type $BF$, RHS with a broker $ff : FF$ connected to $fls : Fls$), bookFlight (LHS of type $Fls$), browseFlights (LHS of type $Fls$, RHS with $fl : Fls$ edges), noFlights (LHS of type $Fls$) and deleteFlight]

where findFlights establishes a broker service $FF$, bookFlight yields a flight ($Fl$) connected to a payment service ($P$), browseFlights generates as many flights as necessary, and finally deleteFlight and noFlights respectively remove and stop adding flights to the design.

Services can either be composed with other services using findFlights and bookFlight, as for instance when one chooses a specific flight and the system needs to "invoke" another service (the payment service) to complete the request, or branch using the production browseFlights to represent the different flights a customer can choose from.

Figure 2(a) shows the architectural style of a system where a client books a flight and successfully pays for it. Initially, the client searches for a flight by invoking the findFlight service which, in turn, invokes different airlines about their flights. Once a flight is selected, a payment service is used to complete the transaction.

Sometimes, failures are possible during the payment; this is modelled in Figure 2(b), where the payment edge P reconfigures as a PF edge. We show how to apply our methodology in this scenario. The style we consider consists of the productions above and the invariant

$$\phi_{Fl} \;\equiv\; \exists Fl(x_1, x_1').\ \exists P(x_2, x_2').\ x_1 = x_2$$

that specifies that some flight Fl has to be connected to a successful payment P.

Following the methodology presented in §6, we need to check whether the graph $G_b$ given in Figure 2(b) satisfies the invariant $\phi_{Fl}$, and we find that $G_b \not\models \phi_{Fl}$. In fact, there is no edge of type P in $G_b$, so we invoke $\mathrm{WP}(p, \phi_{Fl})$ on every production $p$, where the assignment $\eta$ is empty (since $\phi_{Fl}$ is a closed formula) and $h$ maps the interface nodes of $p$. We have $\mathrm{WP}(p, \phi_{Fl}) = \phi_{Fl}$ for all $p \neq$ bookFlight whereas, for $p =$ bookFlight,

$$\mathrm{WP}(p, \phi_{Fl}) = \top.$$

We show that $\mathrm{WP}(p, \phi_{Fl})$ acts in the same way (and yields $\phi_{Fl}$) for any $p \neq$ bookFlight, since such productions do not have edges of type Fl or P in their RHS. We have to compute $\mathrm{wp}'_{\emptyset}(\phi_{Fl}) \wedge \mathrm{wp}_{\emptyset}(\phi_{Fl})$ by first applying the case of existential quantification (cf. Definition 11):

$$\Big(\bigvee_{j=1,\dots,5} \mathrm{wp}'_{\varphi_j}(\phi'_{Fl})\Big) \;\wedge\; \Big(\bigvee_{j=1,\dots,5} \exists Fl(x_1, x_1').\ \mathrm{wp}_{\varphi_j}(\phi'_{Fl}) \vee \mathrm{wp}'_{\varphi_j}(\phi'_{Fl})\Big)$$

where $\phi'_{Fl} = \exists P(x_2, x_2').\ x_1 = x_2$. Let $v_1$ and $v_2$ be representative nodes outside the RHS of the productions above, and $u_1$ and $u_2$ be interface nodes of the productions. The assignments

$$\varphi_1 = \{x_1 \mapsto (3, Fl, u_1),\ x_1' \mapsto (3, Fl, v_1)\}$$

$$\varphi_2 = \{x_1 \mapsto (3, Fl, u_2),\ x_1' \mapsto (3, Fl, v_1)\}$$

$$\varphi_3 = \{x_1 \mapsto (3, Fl, v_1),\ x_1' \mapsto (3, Fl, u_1)\}$$

$$\varphi_4 = \{x_1 \mapsto (3, Fl, v_1),\ x_1' \mapsto (3, Fl, u_2)\}$$

$$\varphi_5 = \{x_1 \mapsto (3, Fl, v_1),\ x_1' \mapsto (3, Fl, v_2)\}$$

are the only ones to consider for the first quantification. Instead, the other existential quantification $\exists P(x_2, x_2')$ yields

$$\Big(\bigvee_{\substack{j=1,\dots,5\\ k=7,\dots,11}} \mathrm{wp}'_{\varphi_j \cup \varphi_k}(\phi''_{Fl})\Big) \;\wedge\; \Big(\bigvee_{\substack{j=1,\dots,5\\ k=7,\dots,11}} \exists Fl(x_1, x_1').\ \exists P(x_2, x_2').\ \mathrm{wp}_{\varphi_j \cup \varphi_k}(\phi''_{Fl}) \vee \mathrm{wp}'_{\varphi_j \cup \varphi_k}(\phi''_{Fl})\Big)$$

where $\phi''_{Fl}$ is the equality $x_1 = x_2$ and the assignments $\varphi_7, \dots, \varphi_{11}$ are:

$$\varphi_7 = \{x_2 \mapsto (3, P, u_1),\ x_2' \mapsto (3, P, v_1)\}$$

$$\varphi_8 = \{x_2 \mapsto (3, P, u_2),\ x_2' \mapsto (3, P, v_1)\}$$

$$\varphi_9 = \{x_2 \mapsto (3, P, v_1),\ x_2' \mapsto (3, P, u_1)\}$$

$$\varphi_{10} = \{x_2 \mapsto (3, P, v_1),\ x_2' \mapsto (3, P, u_2)\}$$

$$\varphi_{11} = \{x_2 \mapsto (3, P, v_1),\ x_2' \mapsto (3, P, v_2)\}$$

Finally, applying the case for node equality in the auxiliary map $\mathrm{eq}^{\varphi_j \cup \varphi_k}_{x_1 = x_2}(\mathcal{E})$ of Definition 11 we get

$$\bigvee_{j,k} \mathrm{wp}'_{\varphi_j \cup \varphi_k}(\phi''_{Fl}) = \top \vee \top \vee \dots = \top \qquad (6)$$

$$\bigvee_{j,k} \exists Fl(x_1, x_1').\ \exists P(x_2, x_2').\ \mathrm{wp}_{\varphi_j \cup \varphi_k}(\phi''_{Fl}) = (\phi_{Fl} \vee \bot) \vee (\phi_{Fl} \vee \bot) \vee \dots = \phi_{Fl} \qquad (7)$$

which yield $\mathrm{WP}(p, \phi_{Fl})$, since (6) and (7) respectively correspond to $\mathrm{wp}'_{\emptyset}(\phi_{Fl})$ and $\mathrm{wp}_{\emptyset}(\phi_{Fl})$.

We now consider $p =$ bookFlight and show that $\mathrm{WP}(p, \phi_{Fl}) = \top$. As in the previous case, we consider the quantifications, for which we have to take into account the extra mappings due to Fl and P:

$$\varphi_6 = \{x_1 \mapsto (3, Fl, u),\ x_1' \mapsto (3, Fl, u_2)\}$$

$$\varphi_{12} = \{x_2 \mapsto (3, P, u_1),\ x_2' \mapsto (3, P, u)\}$$

where $u_1$ and $u_2$ are the production's interface nodes as before and $u$ is its unique internal node. By the quantification cases we have

where $j = 1, \dots, 6$ and $k = 7, \dots, 12$.

Finally, applying the case for node equality in the auxiliary map $\mathrm{eq}^{\varphi_j \cup \varphi_k}_{x_1 = x_2}(\mathcal{E})$ of Definition 11 we get

$$\bigvee_{j,k} \mathrm{wp}'_{\varphi_j \cup \varphi_k}(\phi''_{Fl}) = \top \vee \top \vee \dots = \top \qquad (8)$$

$$\bigvee_{j,k} \exists Fl(x_1, x_1').\ \exists P(x_2, x_2').\ \mathrm{wp}_{\varphi_j \cup \varphi_k}(\phi''_{Fl}) = \big(\exists Fl(x_1, x_1').\ \exists P(x_2, x_2').\ \top \vee \top\big) \vee \dots = \top \qquad (9)$$

Note that the weakest pre-condition is the conjunction of (8) and (9), that is $\mathrm{wp}'_{\emptyset}(\phi_{Fl}) \wedge \mathrm{wp}_{\emptyset}(\phi_{Fl}) = \top$. The next step requires that we check whether the graph $G_b$ given in Figure 2(b) satisfies any of the weakest pre-conditions computed. $G_b \not\models \exists Fl(x_1, x_1').\ \exists P(x_2, x_2').\ x_1 = x_2$, but $G_b \models \top$, and therefore we know that by applying the production bookFlight we get a graph that satisfies the invariant $\phi_{Fl}$.
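As an added illustration (not code from the paper), the following Python models the scenario of this section as typed hyperedges and runs steps 2 to 4 of the methodology on the graph of Figure 2(b). Node names, the RHS edge sets of the productions and the simplified precondition rule are assumptions: the rule only encodes the argument given above (an RHS that already satisfies the invariant gives $\top$, an RHS without Fl or P edges gives the invariant itself), not the full algorithm of Definition 11.

```python
from typing import Callable, NamedTuple, Optional, Set

Graph = frozenset   # set of (edge_type, (node, node)) hyperedges; node names are constructed
Formula = Callable[[Graph], bool]

def phi_fl(g: Graph) -> bool:
    """phi_Fl = exists Fl(x1,x1'). exists P(x2,x2'). x1 = x2: some flight edge and
    some successful-payment edge share their first node."""
    return any(f[0] == p[0] for t, f in g if t == "Fl" for s, p in g if s == "P")

TOP: Formula = lambda g: True          # the formula T, satisfied by every graph
INV_TYPES: Set[str] = {"Fl", "P"}      # edge types phi_Fl speaks about

class Production(NamedTuple):
    name: str
    lhs: str       # non-terminal edge type rewritten by the production
    rhs: Graph     # constructed RHS over interface nodes u1, u2 and internal node u

# Constructed RHS edge sets following the prose description of each production.
PRODUCTIONS = [
    Production("findFlights", "BF", Graph({("FF", ("u1", "u")), ("Fls", ("u", "u2"))})),
    Production("bookFlight", "Fls", Graph({("Fl", ("u1", "u")), ("P", ("u1", "u2"))})),
    Production("browseFlights", "Fls", Graph({("Fls", ("u1", "u")), ("Fls", ("u", "u2"))})),
    Production("noFlights", "Fls", Graph()),
    Production("deleteFlight", "Fls", Graph()),
]

def precondition(p: Production, inv: Formula, types: Set[str]) -> Optional[Formula]:
    """Simplified stand-in for WP(p, inv), encoding only the argument of this section:
    an RHS already satisfying inv re-establishes it unconditionally (T); an RHS with
    none of the edge types inv mentions leaves inv untouched (inv); else undecided."""
    if inv(p.rhs):
        return TOP
    if not any(t in types for t, _ in p.rhs):
        return inv
    return None

def candidates(g: Graph, prods, inv: Formula, types: Set[str]):
    """Steps 2-4 of the methodology: once g violates inv, list the productions
    whose precondition g satisfies; these are the candidates for reconfiguration."""
    if inv(g):
        return []
    return [p.name for p in prods
            if (wp := precondition(p, inv, types)) is not None and wp(g)]

# Constructed graphs for Figure 2: (a) successful payment, (b) P reconfigured as PF.
G_A = Graph({("C", ("n0", "n1")), ("BF", ("n1", "n2")), ("FF", ("n2", "n3")),
             ("Fls", ("n3", "n4")), ("Fl", ("n4", "n5")), ("P", ("n4", "n6"))})
G_B = Graph((G_A - {("P", ("n4", "n6"))}) | {("PF", ("n4", "n6"))})
```

Running `candidates(G_B, PRODUCTIONS, phi_fl, INV_TYPES)` selects only bookFlight, matching the outcome derived above, while the graph of Figure 2(a) yields no candidates because it already satisfies the invariant.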



8 Related work 

Formal approaches based on architectural styles to control architectural reconfigurations have been proposed, among others, in [11, 12, 14]. In those proposals reconfigurations are typically applied uniformly across the design. For instance, in [12, 14] graph grammars and hyper-edge replacements are used to represent styles in terms of graph configurations freely generated by some productions (and it is not easy to specify conditions to extract subsets of such graph languages).

Our work mitigates this effect by means of asserted productions that provide finer control on the applicability conditions, as done in other graph-transformation approaches. For instance, our approach is similar to the one in [10], where graph programs are extended to programs over high-level rules with application conditions; on such programs weakest pre-conditions can be defined automatically. Nevertheless, [10] aims at verifying computational properties of systems rather than architectural ones, and does so in a different way, only after generating the various state systems. In [9] constraints on the architecture are used to guarantee invariants of systems. More precisely, reconfigurations can occur only if such constraints are not violated. This is not always realistic in open systems; therefore we do not impose limitations on run-time reconfigurations and instead search for new reconfigurations that can lead the system into a desired state.

In [?] an assume-guarantee mechanism is adopted to provide a learning algorithm which produces an assumption satisfying a sufficient condition for the component to guarantee the given invariant. This is achieved by model checking every component of the system against an invariant. This is similar to the weakest pre-condition we present in this paper, but instead of computing the weakest assumption for every component of the system we compute the weakest pre-condition for every design production. We can later use our algorithm when applying the methodology described in §6 to identify the possible design production(s) (if any) that can aid in fixing the architectural violation of the system.

In [2] the authors present an approach for designing safe systems by inspecting whether certain reconfigurations can lead to invalid graphs that represent invalid systems. This is achieved by verifying that the backward application of reconfigurations to a forbidden graph pattern cannot lead to a graph pattern representing a safe system (a set of forbidden graph patterns models an invariant). This method can provide a safe system, in the sense that it cannot lead to a state that violates a structural invariant by the use of reconfigurations, but it is very complex to handle unexpected system failures.

In [?] self-healing systems are modelled by specifying different types of rules: for the ideal system behaviour, for different predictable failures, and for fixing the different failures identified earlier. This approach differs from what we propose in this paper, as they design the rules according to the misbehaviours they expect at run time and do not necessarily handle unexpected failures or changes of the system.

Different approaches to specify self-managing systems are surveyed in [3]. The authors group the different approaches according to their ability to select the different reconfigurations that should occur to re-establish a correct state. They present three types of selection, namely pre-defined selection (a reconfiguration is chosen prior to the execution based on a pre-defined selection), constrained selection from a pre-defined set (a reconfiguration designed for the given situation is chosen) and unconstrained selection (unconstrained choice regarding the appropriate change to make). All the approaches presented in the survey lie in one of the former two categories and, according to [3], none of the approaches surveyed falls in the unconstrained selection category. Our approach lies in neither the pre-defined nor the constrained selection category. It is not clear to us whether our approach can be considered an unconstrained selection. In fact, we do not choose the reconfigurations to apply according to the misbehaviours expected at run time. Instead we use our weakest pre-condition algorithm to identify which of the existing configurations (not designed for the specific violation) can re-establish the architectural style of our system. We remark that most of the rules given at design time are typically meant to specify the architectural style of a system, not its misbehaviours (for instance, in ADR this might be addressed with reconfiguration rules rather than productions). However, even if some productions were introduced to tackle (or prevent) some misbehaviours, our approach enables such rules to be used also for unexpected violations.



9 Conclusion and future work 

We introduced a methodology inspired by Design by Contract (DbC) [13] to guarantee properties of architectural designs. Technically this is achieved by (i) equipping ADR with a logic tailored to express such properties and (ii) devising an algorithm to compute weakest pre-conditions for ADR productions.

Albeit very simple, our logic can express rather interesting properties (cf. Example 6). It allows us to improve the expressiveness of ADR and to specify interesting properties exploiting the 'hierarchical nature' of ADR graphs. This paper is a first step in the exploration of the use of DbC in architectural style reconfigurations.

Using our methodology we can fix our graphs architecturally, provided that we have the appropriate productions to do so. Currently, our methodology works if there is a single production for recovering from a failure, but we see this work as a first step towards the more realistic situation where, to tackle failures, one tries to apply a number of productions. More precisely, one could compute a sequence of productions by iterating the methodology in §6 on the weakest pre-condition obtained at every "round" (starting from the invariant) until either false or a valid style is reached. We note that this opens other interesting questions. For example, when different sequences of productions are found, one could devise criteria to order them, or else try to find criteria for good or best strategies. Generalising our idea for computing 'strategies' based on many productions to recover from failures could be a very interesting future direction.

We expect such research to lead to extensions of the logic and also, as stated earlier, to extensions of the methodology so that it can handle more complex violations that might require more design productions to fix a system's architecture.